Help with Backdoor Trojan Removal

Help! I have attached the logfile from hijackthis. I am not sure what all the processes are and I don't really want to delete things without knowing. I had a notification that I had a backdoor trojan called:

Please download FindAWF to your Desktop.
Double-click FindAWF.exe to start the tool.
Select "option #1 - Scan for bak folders" by typing 1 and press Enter
When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt as an attachment.

Regards Howard

This thread is for the use of elise1074 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.

As I suspected, your system was infected with a trojan called Downloader.Agent.awf. It replaces legitimate files that are common on most computers with an infected file. Then, it moves the legitimate files to a bak or backup folder.

Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

If after reading the above, you wish to clean your system, do the following.

Go and read this thread HERE and follow the instructions exactly. Post the requested log files once done.

Regards Howard

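The "bak folder" pattern Howard describes above (a legitimate program file swapped for an infected copy, with the original moved into a folder named bak beside it) is something you can check for yourself. The script below is an added example written for this thread; it is not FindAWF or any other tool mentioned here. It walks a directory tree, and for every folder named bak it pairs each file inside with the same-named file in the parent directory and hashes both: a pair that differs is flagged as "replaced" (the live file is not the original), an identical pair as "identical" (a harmless backup, or a file already restored), and a bak copy with no live sibling as "original_only". The sample tree it builds in a temporary directory is constructed for the demo (the program names and byte contents are made up), not taken from the logs in this thread.

```python
"""Detect the 'bak folder' file-swap pattern: for each directory named
'bak', compare every file it holds with the same-named file one level up.
Added example for this thread; not FindAWF or ComboFix code."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_bak_replacements(root: Path):
    """Walk `root` and report, for each file inside any folder named 'bak',
    whether the live sibling in the parent folder still matches it.
    Returns a list of {'file': <live path>, 'status': ...} sorted by path."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        d = Path(dirpath)
        if d.name.lower() != "bak":
            continue
        for name in filenames:
            original = d / name        # copy the dropper moved aside
            live = d.parent / name     # file the system actually runs
            if not live.is_file():
                findings.append({"file": str(live), "status": "original_only"})
                continue
            same = sha256_of(original) == sha256_of(live)
            findings.append({"file": str(live),
                             "status": "identical" if same else "replaced"})
    return sorted(findings, key=lambda f: f["file"])


def build_sample_tree(root: Path) -> None:
    """Constructed sample, not real malware: one swapped binary, one harmless
    identical backup, and one bak copy whose live file is gone."""
    aol = root / "Program Files" / "AOL"
    (aol / "bak").mkdir(parents=True)
    (aol / "aol.exe").write_bytes(b"MZ-dropper-stub")          # swapped in
    (aol / "bak" / "aol.exe").write_bytes(b"MZ-original-aol")  # moved aside

    itunes = root / "Program Files" / "iTunes"
    (itunes / "bak").mkdir(parents=True)
    (itunes / "iTunesHelper.exe").write_bytes(b"MZ-itunes")
    (itunes / "bak" / "iTunesHelper.exe").write_bytes(b"MZ-itunes")

    real = root / "Program Files" / "RealPlayer"
    (real / "bak").mkdir(parents=True)
    (real / "bak" / "realplay.exe").write_bytes(b"MZ-original-realplay")


def demo():
    """Build the sample tree in a temp dir, scan it, and return
    (path relative to the sample root, status) pairs."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        out = []
        for f in find_bak_replacements(root):
            rel = Path(f["file"]).relative_to(root)
            out.append((str(rel).replace(os.sep, "/"), f["status"]))
        return out


if __name__ == "__main__":
    for path, status in demo():
        print(f"{status:14} {path}")
```

To run it against a real drive, call find_bak_replacements(Path(r"C:\")) from an administrator prompt; "replaced" entries are the ones worth comparing against the log FindAWF produced, and a hash match with the bak copy on its own does not prove the live file is clean, only that the two copies are the same bytes.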

I ran the procedure the first time and it cleared all but one. I have attached the HijackThis file and the awf file. Does this mean there is still a virus on the computer somewhere that can't be found or cleaned? Or are there other methods (programs) to hunt down and destroy this virus? I don't even USE AOL (where the virus is contained). I ran Ad-Aware, Spybot, McAfee 8, Stinger... can't remember what else.

Download combofix.exe. Double click combofix.exe & follow the prompts. A window will open with a warning. Type "1" (and Enter) to start the fix. When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log. Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Combofix will automatically save the log file to C:\combofix.txt

Run the FindAWF tool option1 and attach the awf.txt as well as the Combofix log and a fresh HJT log.

Regards Howard


Since you seem to be very knowledgeable about security and viruses, I have a few more questions for you. Since I got this backdoor trojan, I would start up the computer and the Microsoft virus notification would pop up saying that it had detected this trojan file. Earlier today, I went into my firewall settings and discovered, for whatever reason, I had set exceptions to the firewall (AOL, iTunes, Explorer, RealPlayer, etc.). I then unchecked all those so that there were no exceptions. I then restarted the computer with no exceptions and the pop-up from the task bar didn't come up to say it found the backdoor trojan. I repeated this three times. Still no trojan notification. I then did the cleaning process the first time. Ran again, second time, one bak dup file remaining (AOL), then did it again with the same result. Pasted the results in the previous post. My main question in this rant is: do you think by changing the settings on the firewall, it blocked either Microsoft from scanning and communicating the trojan to me, or in fact is blocking the trojan itself? I also checked the "display a notification when firewall blocks a program". Any thoughts on this? Thanks

First, I am going to buy an external hard drive now and back up all my data folders. Next, I currently have System Restore turned OFF (found that in another post on another site). Before proceeding with your instructions, should I turn System Restore back ON or keep it OFF during the instructions you posted?

I just rebooted and when it came back up, the Spybot registry change notification popped up. It said the changed value was to delete the LOC control. Yes, that is one of the things we deleted in the executable. Should I allow the change (accept registry deletion) that Spybot is indicating?

I think I may have allowed it in with the Spybot TeaTimer (the program gives you choices to allow or deny registry changes). I rebooted and the backdoor virus was back. So I have attached the HijackThis and awf files. ARRRGHHHHH!!!!

OK, so I told you originally that this window (Microsoft Windows Malicious Scan) would pop up from the system tray that said malicious something (don't remember) was found. So when I would bring this up, it would say that it detected Backdoor:Win32/Zonebac.gen!B as malware, but said it was not removed. It did not give ANY location of ANY files. So then I used the same software (Microsoft Windows Malicious Software Removal Tool, Nov. 2007) and did a full system scan. When I performed this, it said there were no detections, and this Backdoor:Win32 is one of the things it looks for. So that is VERY ODD that the system tray notification pops up with this trojan, but the full system scan using the same software doesn't find it!!!

Also to note, the night before this supposed malicious trojan was found, Microsoft did an automatic update and downloaded some files. The computer remained on overnight, and that is when Microsoft downloaded the update. The next day the computer was rebooted, and that is when this supposed malicious trojan popped up as detected, but not removed.

Quite coincidental don't you think? So now I am thinking that whatever update was released had a bug in it or something. Should I email microsoft?

What do you think? Especially since you said the files were cleaned. It doesn't make any sense. The timing is just too coincidental with the update and the "trojan" popping up from the system tray, but not in the full system scan.

Thanks for all your help. I now know a little more about viruses, how some create backup folders. Quite interesting. You certainly do great work. I see you helping lots of people on this forum. You are a great person to do this work and thanks again.

I did email Microsoft. Maybe they will reply to my email.

Thanks again. If I have any more trouble, I will know where to look in the future!!